Victor Julien [Fri, 3 May 2019 05:13:00 +0000 (07:13 +0200)]
valgrind: support hyperscan warning
Issue on Ubuntu 19.04.
==18655== Conditional jump or move depends on uninitialised value(s)
==18655== at 0x5454603: hs_alloc_scratch (in /usr/lib/x86_64-linux-gnu/libhs.so.5.1.0)
==18655== by 0x3D5C9A: SCHSPreparePatterns (util-mpm-hs.c:707)
==18655== by 0x215FEC: DetectMpmPrepareBuiltinMpms (detect-engine-mpm.c:364)
==18655== by 0x20813A: SigGroupBuild (detect-engine-build.c:1932)
==18655== by 0x21287B: SigLoadSignatures (detect-engine-loader.c:366)
==18655== by 0x35A702: LoadSignatures (suricata.c:2419)
==18655== by 0x35B0DD: PostConfLoadedDetectSetup (suricata.c:2574)
==18655== by 0x35C827: main (suricata.c:2986)
Alexander Bluhm [Mon, 18 Mar 2019 13:06:39 +0000 (14:06 +0100)]
Avoid use-after-free during pid file cleanup.
In case the pid file is given in the config file, the file name is
stored in volatile memory. Removal of the pid file happens after
cleanup of config memory. Create a copy of the name which will be
freed after the pid file has been removed.
Victor Julien [Mon, 18 Mar 2019 09:34:03 +0000 (10:34 +0100)]
detect: fix match array reset
Fix match array reset depending on prefilter matches for the
current run. If there were none, the match array of the previous
packet was used. This could lead to inspection of rules from the
wrong rule group.
Giuseppe Longo [Sat, 9 Mar 2019 21:36:03 +0000 (22:36 +0100)]
detect-iprep: fix memory leaks
Loading rules with iprep keyword cause
memory leaks due to missing frees.
Direct leak of 8 byte(s) in 4 object(s) allocated from:
#0 0x7f81c862bd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x7f81c6afea69 in pcre_get_substring (/lib/x86_64-linux-gnu/libpcre.so.3+0x27a69)
#2 0x43206f7420676e68 (<unknown module>)
SUMMARY: AddressSanitizer: 8 byte(s) leaked in 4 allocation(s).
Eric Leblond [Mon, 18 Feb 2019 21:31:26 +0000 (22:31 +0100)]
detect-flowbits: error on some invalid syntax
The regular expression was accepting something like
"flowbits:!isset,isma;" without complaining even if it is not
correct and don't have the expected result.
rust/ikev2: fix events not being raised in first message
The `set_event` function requires that the transaction is already
inserted, or the event set is silently lost.
When parsing first IKEv2 message, first insert transaction, prepare
values, and borrow back inserted transaction to update it.
Murat Balaban [Wed, 27 Feb 2019 17:09:13 +0000 (09:09 -0800)]
netmap: refresh netmap_if address after each NIOCREGIF
With the introduction of netmap "partial opening" feature
netmap requires that we get a new NETMAP_IF pointer after
every `NIOCREGIF` registration. Because this allocates an
independent instance of `struct netmap_if`. If one
separately opens hw rings and sw rings he/she'll get two
`struct netmap_if`, one with the valid hw rings, and the other
with valid sw rings.
Because of that we get a new netmap_if pointer after each
NIOCREGIF.
Also removing netmap_if struct from NetmapDevice since
it's no more required.
Victor Julien [Fri, 22 Feb 2019 19:41:41 +0000 (20:41 +0100)]
ips/stream: handle low mem(cap) crash
In low memory or memcap reached conditions a crash could happen in
inline stream detection.
The crash had the following path:
A packet would come in and it's data was added to the stream. Due
to earlier packet loss, the stream buffer uses a stream buffer block
tree to track the data blocks. When trying to add the current packets
block to the tree, the memory limit was reached and the add fails.
A bit later in the pipeline for the same packet, the inline stream
mpm inspection function gets the data to inspect. For inline mode
this is the current packet + stream data before and after the packet,
if available.
The code looking up the packets data in the stream would not
consider the possibility that the stream block returned wasn't
the right one. The tree search returns either the correct or the
next block. In adjusting the returned block to add the extra stream
data it would miscalculate offsets leading to a corrupt pointer to the
data.
This patch more carefully checks the result of the lookup, and
falls back to simply inspecting the packet payload if the lookup
didn't produce the expected result.
Mats Klepsland [Sat, 16 Feb 2019 20:55:19 +0000 (21:55 +0100)]
app-layer-ssl: check that cipher suites length is divisible by two
Cipher suites length should always be divisible by two. If it is a
odd number, which should not happen with normal traffic, it ends up
reading one byte too much.
No resizing is done in Ja3BufferResizeIfFull() when the buffer is
empty. This leads to a potential overflow when this happens, since
a ',' is appended even when the buffer is empty.
Jason Ish [Thu, 7 Feb 2019 19:53:23 +0000 (13:53 -0600)]
issue 2795: python 3 fix in Rust C header gen
The C header generation script was failing with a unicode error
in Python 3 on FreeBSD. Fix the reading of files to properly
handle unicode in all Python 3 environments.
Fabrice Fontaine [Thu, 31 Jan 2019 07:56:15 +0000 (08:56 +0100)]
configure.ac: fix --{disable,enable}-xxx options
Currently, if the user provides --enable-libmagic or
--disable-libmagic, libmagic will be disabled because $enableval is not
used to know if the user provided --enable or --disable
Most of the options have this issue so fix them all by using $enableval
Victor Julien [Fri, 18 Jan 2019 14:03:39 +0000 (15:03 +0100)]
stream: fix false negative on bad RST
If a bad RST was received the stream inspection would not happen
for that packet, but it would still move the 'raw progress' tracker
forward. Following good packets would then fail to detect anything
before the 'raw progress' position.
Victor Julien [Wed, 23 Jan 2019 20:18:59 +0000 (21:18 +0100)]
eve: fix missing decoder-events in stats
In the eve log the decoder events are added as optional counters. This
behaviour is enabled by default. However, lots of the counters are
missing, as the names colide with other counters.
E.g.
decoder.ipv6 counts ipv6 packets
decoder.ipv6.unknown_next_header counts how often an unknown next
header is encountered.
In this example 'ipv6' would be both a json integer and a json object.
It appears that jansson favours the first that is generated, so the
event counters are mostly missing.
This patch registers them as 'decoder.events.<event>' instead. As
these names are generated on the fly, a hash table to contain the
allocated strings was added as well.
Victor Julien [Tue, 22 Jan 2019 20:00:57 +0000 (21:00 +0100)]
af-packet: fix sync start for tpacket v3
The tpacket-v3 implementation of the synchonize start logic would
not correctly consider the timestamp parameter, leading to threads
starting before synchronization between threads was complete.
Victor Julien [Wed, 19 Dec 2018 10:49:42 +0000 (11:49 +0100)]
proto/detect: workaround dns misdetected as dcerpc
The DCERPC UDP detection would misfire on DNS with transaction
ID 0x0400. This would happen as the protocol detection engine
gives preference to pattern based detection over probing parsers for
performance reasons.
This hack/workaround fixes this specific case by still running the
probing parser if DCERPC has been detected on UDP. The probing
parser result will take precedence.
Victor Julien [Wed, 19 Dec 2018 08:45:35 +0000 (09:45 +0100)]
teredo: be stricter on what to consider valid teredo
Invalid Teredo can lead to valid DNS traffic (or other UDP traffic)
being misdetected as Teredo. This leads to false negatives in the
UDP payload inspection.
Make the teredo code only consider a packet teredo if the encapsulated
data was decoded without any 'invalid' events being set.
projects / thirdparty / suricata.git / log
